F5 Local Traffic Policy

[Nancy Benigar]

ServiceInternal Traffic Policy enables internal traffic restrictions to only routeinternal traffic to endpoints within the node the traffic originated from. The"internal" traffic here refers to traffic originated from Pods in the currentcluster. This can help to reduce costs and improve performance.

The kube-proxy filters the endpoints it routes to based on thespec.internalTrafficPolicy setting. When it's set to Local, only node localendpoints are considered. When it's Cluster (the default), or is not set,Kubernetes considers all endpoints.

I recently got enjoy the GUI for local traffic policy management and determined that it's an abomination. You can't duplicate a policy so it's click-click-click all the way through to add eight near identical policies. You can't rename so that one where I forgot to update the name, delete and rebuild. Oh, and there's no true default policy so if you have one that's supposed to be the default you need to manually drag it to the end of the list.

When I attach DOS and BOT profiles with local traffic policy or iRule I always need a default BOT and DOS profile even when I have a default rule that catches all the traffic. That is one thing but the strangest thing is when I decide to attach a Bot profile with iRule it does not work but the Local traffic policies allow this.

This is getting more complicated the more I research it. Here goes... When a request contains a specific URL, I'd like to modify my local traffic policy to redirect traffic to an ASM policy that is different (modified) than the one applied to the VIP in question. And have all other traffic route normally to the applied ASM policy.

I just created address book based security policies allowing only specific subnets from my SRX240 and denying all other via the defaul policy deny-all. But the problem is i still can ping other networks which are not allowed in the policy. When looked at the policy that was allowing the traffic using " show security flow sessions" i saw the "self-traffic-policy" as reproduced below..

The Security Policy is for transit traffic traversing the SRX firewall , As per the session details I see that you are initiating the traffic from the device , for which the normal security policy does not apply and it will take the self generated traffic policy ( by default ) since this is host genetared traffic or system generated traffic .

You are right i generated the traffic from the device but while pinging the remote server i chose the l3 gateway of LAN devices attached to SRX240 as source i.e "ping 172.16.20.2 source 192.168.1.2 (l3 gateway of LAN PCs)". If it is accessible from the gateway it will be surely accessible from the PCs as well ???. Attached is the pic showing the layout of network. further clarification and solution will be appreciated ..

Thanks for the update . Even if you source the packet originated from the device with Trust Interface IP , it will take the self traffic policy since the packet is generated from RE . Only the source Ip changes from Untrust Interface IP to Trust IP.

Your answer makes sense. I will confirm it by pinging the server from a LAN device and mark ur reply as accepted solution. In the mean time if u have link to some study material regarding this self-traffic-policy for my own learning, will be appreciated..

These settings are for incoming traffic (local-in) and outgoing traffic (local-out).

Local traffic does not fall under the same policies as traffic passing through the FortiGate.

Local traffic is allowed or denied instead based on interface configuration (Administrative Access), VPN and VIP configuration, explicitly defined local traffic policies and similar configuration items.

This means local traffic does not have an associated policy ID unless user-defined local policies have been configured.

If there is no user-defined local policy applying to the logged traffic, logs will instead show policy ID 0.

In this case, policy ID 0 is NOT the same as implicit deny.

Example local traffic log (for incoming RIP message):

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

DestinationRule defines policies that apply to traffic intended for aservice after routing has occurred. These rules specify configurationfor load balancing, connection pool size from the sidecar, and outlierdetection settings to detect and evict unhealthy hosts from the loadbalancing pool. For example, a simple load balancing policy for theratings service would look as follows:

Version specific policies can be specified by defining a namedsubset and overriding the settings specified at the service level. Thefollowing rule uses a round robin load balancing policy for all trafficgoing to a subset named testversion that is composed of endpoints (e.g.,pods) with labels (version:v3).

Traffic policies can be customized to specific ports as well. Thefollowing rule uses the least connection load balancing policy for alltraffic to port 80, while uses a round robin load balancing setting fortraffic to the port 9080.

A list of namespaces to which this destination rule is exported.The resolution of a destination rule to apply to a service occurs in thecontext of a hierarchy of namespaces. Exporting a destination rule allowsit to be included in the resolution hierarchy for services inother namespaces. This feature provides a mechanism for service ownersand mesh administrators to control the visibility of destination rulesacross namespace boundaries.

Criteria used to select the specific set of pods/VMs on which thisDestinationRule configuration should be applied. If specified, the DestinationRuleconfiguration will be applied only to the workload instances matching the workload selectorlabel in the same namespace. Workload selectors do not apply across namespace boundaries.If omitted, the DestinationRule falls back to its default behavior.For example, if specific sidecars need to have egress TLS settings for services outsideof the mesh, instead of every sidecar in the mesh needing to have theconfiguration (which is the default behaviour), a workload selector can be specified.

Traffic policies specific to individual ports. Note that port levelsettings will override the destination-level settings. Trafficsettings specified at the destination-level will not be inherited whenoverridden by port-level settings, i.e. default values will be appliedto fields omitted in port-level traffic policies.

A subset of endpoints of a service. Subsets can be used for scenarioslike A/B testing, or routing to a specific version of a service. Referto VirtualService documentation for examples of usingsubsets in these scenarios. In addition, traffic policies defined at theservice-level can be overridden at a subset-level. The following ruleuses a round robin load balancing policy for all traffic going to asubset named testversion that is composed of endpoints (e.g., pods) withlabels (version:v3).

One or more labels are typically required to identify the subset destination,however, when the corresponding DestinationRule represents a host thatsupports multiple SNI hosts (e.g., an egress gateway), a subset without labelsmay be meaningful. In this case a traffic policy with ClientTLSSettingscan be used to identify a specific SNI host corresponding to the named subset.

Traffic policies that apply to this subset. Subsets inherit thetraffic policies specified at the DestinationRule level. Settingsspecified at the subset level will override the corresponding settingsspecified at the DestinationRule level.

Represents the warmup duration of Service. If set, the newly created endpoint of serviceremains in warmup mode starting from its creation time for the duration of this window andIstio progressively increases amount of traffic for that endpoint instead of sending proportional amount of traffic.This should be enabled for services that require warm up time to serve full production load with reasonable latency.Please note that this is most effective when few new endpoints come up like scale event in Kubernetes. When all theendpoints are relatively new like new deployment, this is not very effective as all endpoints end up getting sameamount of requests.Currently this is only supported for ROUND_ROBIN and LEAST_REQUEST load balancers.

Determines whether to distinguish local origin failures from external errors. If set to trueconsecutive_local_origin_failure is taken into account for outlier detection calculations.This should be used when you want to derive the outlier detection status based on the errorsseen locally such as failure to connect, timeout while connecting etc. rather than the status codereturned by upstream service. This is especially useful when the upstream service explicitly returnsa 5xx for some requests and you want to ignore those responses from upstream service while determiningthe outlier detection status of a host.Defaults to false.

Number of gateway errors before a host is ejected from the connection pool.When the upstream host is accessed over HTTP, a 502, 503, or 504 returncode qualifies as a gateway error. When the upstream host is accessed overan opaque TCP connection, connect timeouts and connection error/failureevents qualify as a gateway error.This feature is disabled by default or when set to the value 0.

Note that consecutive_gateway_errors and consecutive_5xx_errors can beused separately or together. Because the errors counted byconsecutive_gateway_errors are also included in consecutive_5xx_errors,if the value of consecutive_gateway_errors is greater than or equal tothe value of consecutive_5xx_errors, consecutive_gateway_errors will haveno effect.

Number of 5xx errors before a host is ejected from the connection pool.When the upstream host is accessed over an opaque TCP connection, connecttimeouts, connection error/failure and request failure events qualify as a5xx error.This feature defaults to 5 but can be disabled by setting the value to 0.

3a8082e126